#!/bin/bash

if ! grep user_00 /etc/shadow
then
    useradd user_00
    usermod -g wheel user_00
    sed -i '/^ *%wheel/c\%wheel ALL=(ALL)       NOPASSWD: ALL' /etc/sudoers
fi
if ! grep 36000 /etc/ssh/sshd_config
then 
    echo '
Port 36000' >> /etc/ssh/sshd_config
fi

cp -av /etc/audit/rules.d/audit.rules /etc/audit/rules.d/audit.rules.$(date +%F_%s) &&
echo "
-w /etc/sudoers -p wa -k scope 
-w /etc/sudoers.d/ -p wa -k scope
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete 
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-w /etc/group -p wa -k identity 
-w /etc/passwd -p wa -k identity 
-w /etc/gshadow -p wa -k identity 
-w /etc/shadow -p wa -k identity 
-w /etc/security/opasswd -p wa -k identity
" >> /etc/audit/rules.d/audit.rules &&

echo "
# 1.确保收集对系统管理范围的更改
# 2.确保收集用户的文件删除事件
# 3.确保收集修改用户/组信息的事件
" >> ./tx_baseline.out



cp -av /etc/pam.d/system-auth /etc/pam.d/system-auth.$(date +%F_%s) &&
sed -i -r '/password.+sufficient.+pam_unix.so/c\
password sufficient pam_unix.so sha512 shadow nullok try_first_pass remember=5 use_authtok' /etc/pam.d/system-auth &&
sed -i -r '/auth.*required.*pam_env.so/a\
auth required pam_tally2.so deny=5 onerr=fail unlock_time=900 \
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900 \
auth [success=1 default=bad] pam_unix.so \
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 \
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900 ' /etc/pam.d/system-auth &&
sed -i -r '/account.*required.*pam_unix.so/i\
account required pam_tally2.so '  /etc/pam.d/system-auth &&


cp -av /etc/pam.d/password-auth /etc/pam.d/password-auth.$(date +%F_%s) &&
sed -i -r '/password.+sufficient.+pam_unix.so/c\
password sufficient pam_unix.so sha512 shadow nullok try_first_pass remember=5 use_authtok' /etc/pam.d/password-auth &&
sed -i -r '/auth.*required.*pam_env.so/a\
auth required pam_tally2.so deny=5 onerr=fail unlock_time=900 \
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900 \
auth [success=1 default=bad] pam_unix.so \
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 \
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900 ' /etc/pam.d/password-auth  &&
sed -i -r '/account.*required.*pam_unix.so/i\
account required pam_tally2.so '  /etc/pam.d/password-auth &&
echo "
# 4.确保限制密码重复使用
# 5.确保配置了密码尝试失败锁定功能
" >> ./tx_baseline.out


cp -av /etc/security/pwquality.conf /etc/security/pwquality.conf.$(date +%F_%s) &&
sed -i -r '/minlen.?=/c minlen=14' /etc/security/pwquality.conf &&
sed -i -r '/minclass.?=/c minclass=3' /etc/security/pwquality.conf &&
if ! grep 'minlen=14' /etc/security/pwquality.conf
then
    echo "
    minlen=14
    minclass=3
"   >> /etc/security/pwquality.conf
fi &&
echo "
# 6.确保配置了密码创建要求
" >> ./tx_baseline.out




cp -av  /etc/ssh/sshd_config  /etc/ssh/sshd_config.$(date +%F_%s) &&
if grep "ClientAliveInterval" /etc/ssh/sshd_config
then 
    sed -i -r '/ClientAliveInterval/c\
ClientAliveInterval 300' /etc/ssh/sshd_config 
else
    echo  '
ClientAliveInterval 300' >> /etc/ssh/sshd_config 
fi &&

if grep "ClientAliveCountMax" /etc/ssh/sshd_config
then
    sed -i -r '/ClientAliveCountMax/c\
ClientAliveCountMax 3' /etc/ssh/sshd_config 
else
    echo '
ClientAliveCountMax 3' >> /etc/ssh/sshd_config
fi &&

if grep "MaxAuthTries" /etc/ssh/sshd_config
then
    sed -i -r '/MaxAuthTries/c\
MaxAuthTries 4' /etc/ssh/sshd_config 
else 
    echo '
MaxAuthTries 4' >> /etc/ssh/sshd_config
fi &&
sed -i '/^ *PermitRootLogin/c\PermitRootLogin no' /etc/ssh/sshd_config &&

sshd -t &&
systemctl restart sshd &&
echo "
# 7.确保 SSH 空闲超时时间间隔已配置
# 8.确保 SSH MaxAuthTries 设置为 4 次或更少
# 8.1.ssh禁止root直连
" >> ./tx_baseline.out



cp -av /etc/login.defs /etc/login.defs.$(date +%F_%s) &&
sed -i -r '/^[^#]*PASS_MIN_DAYS/c PASS_MIN_DAYS 1' /etc/login.defs &&
sed -i -r '/^[^#]*PASS_MAX_DAYS/c PASS_MAX_DAYS 365' /etc/login.defs &&
sed -i -r '/INACTIVE=/c\INACTIVE=365' /etc/default/useradd &&
if ! grep PASS_MAX_DAYS /etc/login.defs
then
    echo "
    PASS_MAX_DAYS 365
    PASS_MIN_DAYS 1
    " >> /etc/login.defs
fi &&
chage -d "$(date +%F)" user_00 &&
chage -m1 user_00 &&
chage -M365 user_00 &&
chage -l user_00 &&
echo "
# 9.确保配置了密码更改之间的最短间隔天数
# 10.确保密码有效期为 365 天或更短
" >> ./tx_baseline.out


cp -av /etc/pam.d/su /etc/pam.d/su.$(date +%F_%s) &&
sed -i -r '1i\auth required pam_wheel.so use_uid group=sugroup' /etc/pam.d/su &&
groupadd sugroup &&
echo "
# 11.确保对 su 命令的访问受到限制
" >> ./tx_baseline.out


cp -av  /etc/audit/auditd.conf  /etc/audit/auditd.conf.$(date +%F_%s) &&
sed -i -r '/max_log_file_action.*=/c max_log_file_action = keep_logs'  /etc/audit/auditd.conf &&
service auditd restart
echo "
# 12.确保审计日志不会被自动删除
" >> ./tx_baseline.out



if ! ss -lantp |grep 2049
then
    yum remove nfs-utils
fi &&
echo "
# 13.确保未安装 nfs-utils 或屏蔽了 nfs-server 服务
" >> ./tx_baseline.out


if ! mount -l | grep -P '(nfs|cifs|ftp)'
then
    rpcinfo -p
    yum remove rpcbind
else
    rpcinfo -p
    echo "
    有挂载，建议询问开发后再卸载此服务
      "
fi &&
echo "
# 14.确保未安装 rpcbind 或屏蔽了 rpcbind 服务
" ./tx_baseline.out


if ! ss -lantp |grep -P '(2049|445)'
then
    systemctl stop avahi-daemon.socket avahi-daemon.service
    yum remove avahi-autoipd avahi
else
    echo "有服务需要，判断是否真的要卸载avahi"
fi &&
echo "
# 15.确保未安装 Avahi 服务器
" >> ./tx_baseline.out


if [ -z "$TMOUT" ]
then
    cp -av  /etc/bashrc  /etc/bashrc.$(date +%F_%s) &&
    echo "typeset -rx TMOUT=900" >> /etc/bashrc
else
    grep TMOUT /etc/profile.d/* /etc/profile /etc/bashrc
fi &&
echo "
# 16.确保配置了默认用户 shell 超时
" >> ./tx_baseline.out



sed -i '/^ *umask/c\umask 027' /etc/bashrc /etc/profile &&
echo "
# 17.确保配置了默认用户 umask
" >> ./tx_baseline.out


sed -i '/^ *PermitRootLogin/c\PermitRootLogin no' /etc/ssh/sshd_config &&
echo "
# 
" >> ./tx_baseline.out